Skip to content

fix(security): sanitize pagination parameters to prevent DB errors#34

Closed
Shreyassp002 wants to merge 1 commit into
mainfrom
fix-pagination-params-7051721128769812940
Closed

fix(security): sanitize pagination parameters to prevent DB errors#34
Shreyassp002 wants to merge 1 commit into
mainfrom
fix-pagination-params-7051721128769812940

Conversation

@Shreyassp002
Copy link
Copy Markdown
Contributor

@Shreyassp002 Shreyassp002 commented May 3, 2026

Category: Security
Priority: P1
What: Updated limit and offset parsing logic across 4 transaction and payment-link API routes. parseInt now explicitly uses base 10 and explicitly handles NaN and negative values by falling back to safe defaults before applying the Math.min() limit constraint.
Why: If an API client queries ?limit=not-a-number or ?offset=-10, parseInt would return NaN or a negative value respectively. This gets passed into Supabase .range() or .limit(), causing the database query to fail or throw unhandled promise rejections, resulting in 500 API errors and breaking functionality.
Impact: Paginated API endpoints are now robust against malformed input parameters, ensuring they return safe fallback defaults instead of database errors.
Verification:

  • Ran npm run lint successfully.
  • Ran NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID=dummy npm run build successfully.

PR created automatically by Jules for task 7051721128769812940 started by @Shreyassp002

@google-labs-jules @Shreyassp002
fix(security): sanitize pagination parameters to prevent DB errors
7790820 
Sanitize `limit` and `offset` in paginated API endpoints using `parseInt`
with base 10 and fallback values. This prevents Supabase errors when these
parameters evaluate to `NaN` or negative numbers.

Addressed endpoints:
- `src/app/api/transactions/history/route.ts`
- `src/app/api/transactions/route.ts`
- `src/app/api/v1/payment-links/route.ts`
- `src/app/api/v1/transactions/route.ts`

Co-authored-by: Shreyassp002 <96625037+Shreyassp002@users.noreply.github.com>
@google-labs-jules
Copy link
Copy Markdown
Contributor

google-labs-jules Bot commented May 3, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@vercel
Copy link
Copy Markdown

vercel Bot commented May 3, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
flash-protocol Error Error May 3, 2026 6:16am

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 3, 2026

⚡ Flash Review

Metric Value
Files Reviewed 4
Risk Level 🔴 High
Issues Found 🚨 2 Critical · ⚠️ 0 Warnings · 💡 0 Suggestions

🚨 Critical (must fix before merge)

  • src/app/api/v1/payment-links/route.ts:L186 — Critical input validation for limit is missing, risking DB errors or data exposure.
  • src/app/api/v1/payment-links/route.ts:L190 — Essential input validation for offset is missing, risking query failures or incorrect data.

github-actions[bot]
github-actions Bot reviewed May 3, 2026
View reviewed changes
Comment thread src/app/api/v1/payment-links/route.ts
const { searchParams } = new URL(req.url)
const limit = Math.min(parseInt(searchParams.get('limit') || '10'), 100)
const offset = parseInt(searchParams.get('offset') || '0')
let parsedLimit = parseInt(searchParams.get('limit') || '10', 10)
Copy link
Copy Markdown

@github-actions github-actions Bot May 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Flash Review

🚨 Security: Critical input validation for limit. Without this check, non-numeric or negative values could result in NaN or invalid numbers being passed to the database, potentially causing query errors, unexpected data exposure, or even denial of service if the database layer handles invalid parameters poorly. Always sanitize and validate API inputs.

Comment thread src/app/api/v1/payment-links/route.ts
if (isNaN(parsedLimit) || parsedLimit < 1) parsedLimit = 10
const limit = Math.min(parsedLimit, 100)

let offset = parseInt(searchParams.get('offset') || '0', 10)
Copy link
Copy Markdown

@github-actions github-actions Bot May 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Flash Review

🚨 Security: Essential input validation for offset. Allowing NaN or negative values to reach the database could lead to query failures, incorrect data retrieval, or expose internal errors. Robust validation of all API query parameters is crucial for security and stability.

Comment thread src/app/api/v1/transactions/route.ts
const limit = Math.min(parseInt(searchParams.get('limit') || '10'), 100)
const offset = parseInt(searchParams.get('offset') || '0')
let parsedLimit = parseInt(searchParams.get('limit') || '10', 10)
if (isNaN(parsedLimit) || parsedLimit < 1) parsedLimit = 10
Copy link
Copy Markdown

@github-actions github-actions Bot May 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Flash Review

🚨 Security: This explicit validation for parsedLimit is a critical improvement. It prevents NaN or values less than 1 from propagating to downstream database queries, significantly enhancing the API's robustness against malformed requests and potential service instability.

Suggestion: For comprehensive and consistent validation across all API routes, consider defining a Zod schema for all incoming query parameters.

Comment thread src/app/api/v1/transactions/route.ts
const limit = Math.min(parsedLimit, 100)

let offset = parseInt(searchParams.get('offset') || '0', 10)
if (isNaN(offset) || offset < 0) offset = 0
Copy link
Copy Markdown

@github-actions github-actions Bot May 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Flash Review

🚨 Security: This explicit validation for offset is a critical improvement. It prevents NaN or negative values from propagating to downstream database queries, significantly enhancing the API's robustness against malformed requests and potential service instability.

Suggestion: For comprehensive and consistent validation across all API routes, consider defining a Zod schema for all incoming query parameters.

@Shreyassp002
Copy link
Copy Markdown
Contributor Author

Shreyassp002 commented May 7, 2026

Closing as duplicate of #31 which has been merged.

@Shreyassp002 Shreyassp002 deleted the fix-pagination-params-7051721128769812940 branch May 7, 2026 07:01
@google-labs-jules
Copy link
Copy Markdown
Contributor

google-labs-jules Bot commented May 7, 2026

Closing as duplicate of #31 which has been merged.

Understood. Acknowledging that this work is now obsolete and stopping work on this task.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Shreyassp002